Quantum Private Information Retrieval has linear communication complexity

In Private Information Retrieval (PIR), a client queries an n-bit database in order to retrieve an entry of her choice, while maintaining privacy of her query value. Chor, Goldreich, Kushilevitz, and Sudan showed that, in the information-theoretical setting, a linear amount of communication is required for classical PIR protocols (and thus that the trivial protocol is optimal). This linear lower bound was shown by Nayak to hold also in the quantum setting. Here, we extend Nayak's result by considering approximate privacy, and requiring security only against "specious" adversaries, which are, in analogy to classical honest-but-curious adversaries, the weakest reasonable quantum adversaries. We show that, even in this weakened scenario, Quantum Private Information Retrieval (QPIR) requires n qubits of communication. From this it follows that Le Gall's recent QPIR protocol with sublinear communication complexity is not information-theoretically private against the weakest reasonable cryptographic adversary.



I. INTRODUCTION 

The cryptographic scheme of Private Information Retrieval (PIR) describes the problem of querying a database without suffering a loss in privacy. It was formally defined in 1998 by Chor, Goldreich, Kushilevitz, and Sudan [4]. Intuitively, not losing privacy through a query means that the database server does not learn anything about the client's input. An interesting question is: how much communication does a PIR protocol require? Sending the whole database to the client is a trivial PIR protocol, but it seems unsatisfactory with respect to the amount of communication. Are there better solutions? In the setting of one database server and information-theoretic privacy, the trivial protocol is optimal (even against honest-but-curious adversaries). This result was shown by Chor, Goldreich, Kushilevitz, and Sudan [4].

Quantum computation and quantum communication, compared to the classical model, allow for improved solutions to cryptographic tasks [2, 17]. A natural question thus arises: does quantum information allow PIR protocols with sublinear communication complexity? We call a PIR protocol where we make use of quantum resources a Quantum Private Information Retrieval (QPIR) protocol. Nayak answered this question in the negative [16], with a proof sketch establishing a reduction to random access encoding.¹ There are also other fields where allowing quantum computation and communication failed to qualitatively improve the classical result. An example is bit commitment: as we know, perfect bit commitment is not possible in the classical setting; in the quantum setting it is also not possible [14, 15] (but see [3] for some quantum improvements that are possible).

¹ It has been claimed [13] that Nayak proved a lower bound for two-message quantum protocols only, when in fact his claim encompasses protocols with arbitrary interaction. We attribute this misunderstanding to the succinctness of Nayak's original write-up (the result and proof are only a few sentences long).

Recently, Le Gall presented a QPIR protocol with a sublinear amount of communication [13]. This result holds for a database that exactly follows the protocol specification. Motivated by this seemingly contradictory result, we study here the communication complexity of QPIR protocols that are secure against specious adversaries. As defined by Dupuis, Nielsen, and Salvail [5], specious adversaries may deviate from the protocol, but only in a way that is essentially indistinguishable from the honest behaviour; they are a quantum analogue of classical honest-but-curious adversaries, thus corresponding to the weakest reasonable cryptographic adversaries.

a. Main result  We show that, even in the case of approximate privacy and approximate correctness, QPIR against specious adversaries has linear communication complexity.² This establishes that the adversarial model in Le Gall's analysis does not fulfill the weakest reasonable security definition and closes the topic of single-server, information-theoretic QPIR.

b. Further Related Work  Nayak's lower bound was generalized by Jain, Radhakrishnan, and Sen [8], who showed a trade-off for the loss in privacy between the client and database. QPIR has also been studied in the scenario of multiple servers [10, 11], in the scenario of symmetric privacy [11], as well as in the scenario where a cheating server is detected [6]. An attempt at practical symmetric QPIR which is not unconditionally secure is made in [9].

² This result has appeared as part of the M. Sc. thesis of one of the authors [1].



A. Specious adversaries

We call a party which follows a protocol honest. A 
correct protocol is a protocol that achieves its task, given 
that all the parties are honest. Clearly, every meaning- 
ful protocol has to be correct. If we now try to restrict 
the actions of an adversary as much as possible, we can- 
not violate the correctness requirement. This means, the 
weakest adversary has to appear honest. 

In classical cryptography there exists a notion of 
honest-but-curious adversaries, which models the above 
description. Such adversaries follow the protocol (hon- 
esty), but record everything they see and try to extract a 
secret (curiosity). A classical honest-but-curious adver- 
sary can do nothing more to break the privacy property 
of a protocol. 

Dupuis, Nielsen, and Salvail followed this spirit and introduced the quantum analog of the honest-but-curious adversaries, and called them specious [5]. The honesty property, as well as the curiosity property, cannot be translated one-to-one from the classical to the quantum case. To get a meaningful model, the definition needs to capture the essence of being the weakest adversary, as described above.

Attempting a translation from the classical to the quantum case, we see that a quantum adversary can also follow the protocol to be honest. Curiosity means copying everything the adversary sees and extracting a secret from it. In general, copying is not possible because of the no-cloning theorem [18]. Therefore, a protocol can force a quantum honest-but-curious adversary to forget. This motivates the need for a security guarantee not only at the end of the protocol, but also during the interaction.

Quantum adversaries, on the other hand, can act in 
a way indistinguishable from an honest party. As an 
example, in some protocols it may be possible to delay 
measurements. This means, the adversary skips a mea- 
surement instruction and continues in superposition. At 
a later point in the protocol, if required, the adversary 
can perform the measurement, making it look like it was 
honest all the time. In other words, at any step during 
the execution of the protocol, we specify that the ad- 
versary should be able to provide some state that, when 
joined with the state held by the honest party, is indistin- 
guishable from the joint state of an honest interaction. 
This is the essence of the definition of specious adversaries, which we define formally in Section II C.

While the concept of specious adversaries is not yet in 
widespread use in the quantum cryptographic commu- 
nity, purification attacks and the related purified adver- 
saries have long been known to present subtle challenges 
unique to the quantum world. Charles Bennett and Gilles Brassard were among the first to draw attention to this type of attack, proposing a quantum bit commitment scheme together with an explicit purification attack [2].
Purified adversaries (who can be seen as delaying their 
input choices by sending entangled states) are easily seen 
to be a special case of specious adversaries. 



B. Le Gall's QPIR protocol

Recently, Le Gall presented a QPIR protocol with information-theoretic privacy [13]. His protocol achieves a communication complexity of $O(\sqrt{n})$, where $n$ is the database size in bits. At first glance, this result seems to beat Nayak's lower bound of $n$. However, the price for this lower communication complexity is that the server must follow the protocol precisely. Hence, [13] considers a different model of adversaries. One naturally wonders if such gains can be achieved against specious adversaries. Our main result (Theorem 4) rules out this possibility.



II. FORMAL MODEL AND SECURITY 
DEFINITIONS 

In this section, we formally define our model and notions of correctness and privacy. First, we give some basic notation.



A. Notation 

We use calligraphic symbols to describe Hilbert spaces. Subscripts of quantum states and quantum operations usually denote the associated Hilbert spaces. Let $\mathcal{A}$ and $\mathcal{B}$ be two Hilbert spaces. By $\mathcal{A} \otimes \mathcal{B}$ we denote the joint Hilbert space. The set $L(\mathcal{A}, \mathcal{B})$ is the set of all linear maps from $\mathcal{A}$ to $\mathcal{B}$. The set $L(\mathcal{A}) = L(\mathcal{A}, \mathcal{A})$ is the set of all linear maps on $\mathcal{A}$. A quantum state is either expressed as a ket $|x\rangle$ or as a density operator $\rho$. Every state that can be written as $|x\rangle$ is pure, with corresponding density operator $|x\rangle\langle x|$. The set $S(\mathcal{A})$ is the set of all density operators on $\mathcal{A}$. The identity operator on the space $\mathcal{A}$ is $\mathbb{1}_{\mathcal{A}} \in L(\mathcal{A})$; for a joint space $\mathcal{A} \otimes \mathcal{B}$ we use $\mathbb{1}_{\mathcal{A},\mathcal{B}}$. An operator $U \in L(\mathcal{A})$ is called unitary if $U^\dagger U = \mathbb{1}$. In the expression $\mathcal{A} \simeq \mathcal{B}$, the symbol $\simeq$ denotes that the dimension of $\mathcal{A}$ equals the dimension of $\mathcal{B}$ (i.e., $\dim(\mathcal{A}) = \dim(\mathcal{B})$). The measurement outcome of a measurement $M$ of a density operator $\rho$ is expressed by $M(\rho)$.

Let $\rho, \sigma \in S(\mathcal{A})$ be two density operators. We denote by $\|\rho\|_1 = \mathrm{tr}\,|\rho|$ the trace norm of the density operator $\rho$. The trace distance between the two density operators $\rho$ and $\sigma$ is defined as

$$\Delta(\rho, \sigma) := \tfrac{1}{2}\,\|\rho - \sigma\|_1 . \qquad (1)$$

If $\rho = |x\rangle\langle x|$ and $\sigma = |y\rangle\langle y|$ are pure, then we use the compact notation $\Delta(|x\rangle, |y\rangle)$ interchangeably with $\Delta(|x\rangle\langle x|, |y\rangle\langle y|)$.



B. Protocol definition 



As mentioned in Section II A, when defining security against specious adversaries, we must examine the system held by the adversary during the protocol. To this end, we first formally define a two-party quantum protocol. We base our definition on the strategy formalism of Gutoski and Watrous [7], as well as on a definition from Dupuis, Nielsen and Salvail [5] (our scenario is simpler since our protocols do not make any explicit oracle calls). Without loss of generality, we assume that party $\mathscr{A}$ sends the first and last messages.

Definition 1 (Two-party quantum protocol). An $s$-round, two-party protocol denoted $\Pi = (\mathscr{A}, \mathscr{B}, s)$ consists of:

1. input spaces $\mathcal{A}_0$ and $\mathcal{B}_0$ for parties $\mathscr{A}$ and $\mathscr{B}$ respectively,

2. memory spaces $\mathcal{A}_1, \ldots, \mathcal{A}_s$ for $\mathscr{A}$ and $\mathcal{B}_1, \ldots, \mathcal{B}_s$ for $\mathscr{B}$, and communication spaces $\mathcal{X}_1, \ldots, \mathcal{X}_s$, $\mathcal{Y}_1, \ldots, \mathcal{Y}_{s-1}$,

3. an $s$-tuple of quantum operations $(\mathscr{A}_1, \ldots, \mathscr{A}_s)$ for $\mathscr{A}$, where $\mathscr{A}_1 : L(\mathcal{A}_0) \mapsto L(\mathcal{A}_1 \otimes \mathcal{X}_1)$, and $\mathscr{A}_i : L(\mathcal{A}_{i-1} \otimes \mathcal{Y}_{i-1}) \mapsto L(\mathcal{A}_i \otimes \mathcal{X}_i)$ $(2 \le i \le s)$,

4. an $s$-tuple of quantum operations $(\mathscr{B}_1, \ldots, \mathscr{B}_s)$ for $\mathscr{B}$, where $\mathscr{B}_i : L(\mathcal{B}_{i-1} \otimes \mathcal{X}_i) \mapsto L(\mathcal{B}_i \otimes \mathcal{Y}_i)$ $(1 \le i \le s-1)$, and $\mathscr{B}_s : L(\mathcal{B}_{s-1} \otimes \mathcal{X}_s) \mapsto L(\mathcal{B}_s)$.

If $\Pi = (\mathscr{A}, \mathscr{B}, s)$ is an $s$-round two-party protocol, we define the state after the $i$-th step $(1 \le i \le 2s)$, and upon input state $\rho_{\mathrm{in}} \in S(\mathcal{A}_0 \otimes \mathcal{B}_0 \otimes \mathcal{R})$, where $\mathcal{R}$ is a system of dimension $\dim(\mathcal{R}) = \dim(\mathcal{A}_0)\dim(\mathcal{B}_0)$, as

$$\rho_i(\rho_{\mathrm{in}}) := \big(\mathscr{A}_{(i+1)/2} \otimes \mathbb{1}_{\mathcal{B}_{(i-1)/2},\mathcal{R}}\big) \cdots \big(\mathscr{B}_1 \otimes \mathbb{1}_{\mathcal{A}_1,\mathcal{R}}\big)\big(\mathscr{A}_1 \otimes \mathbb{1}_{\mathcal{B}_0,\mathcal{R}}\big)(\rho_{\mathrm{in}}), \qquad (2)$$

for $i$ odd, and

$$\rho_i(\rho_{\mathrm{in}}) := \big(\mathscr{B}_{i/2} \otimes \mathbb{1}_{\mathcal{A}_{i/2},\mathcal{R}}\big) \cdots \big(\mathscr{B}_1 \otimes \mathbb{1}_{\mathcal{A}_1,\mathcal{R}}\big)\big(\mathscr{A}_1 \otimes \mathbb{1}_{\mathcal{B}_0,\mathcal{R}}\big)(\rho_{\mathrm{in}}), \qquad (3)$$

for $i$ even. Note that the last round (round $s$) is only partial, since $\mathscr{B}_s : L(\mathcal{B}_{s-1} \otimes \mathcal{X}_s) \mapsto L(\mathcal{B}_s)$. We define the final state of protocol $\Pi = (\mathscr{A}, \mathscr{B}, s)$, upon input state $\rho_{\mathrm{in}} \in S(\mathcal{A}_0 \otimes \mathcal{B}_0 \otimes \mathcal{R})$, as:

$$[\mathscr{A} \circledast \mathscr{B}](\rho_{\mathrm{in}}) := \rho_{2s}(\rho_{\mathrm{in}}). \qquad (4)$$

The communication complexity of $\Pi = (\mathscr{A}, \mathscr{B}, s)$ is the total amount of quantum communication in the protocol (counted in terms of qubits), as given by

$$\sum_{i=1}^{s} \log\big(\dim(\mathcal{X}_i)\big) + \sum_{i=1}^{s-1} \log\big(\dim(\mathcal{Y}_i)\big).$$

Given a protocol $\Pi = (\mathscr{A}, \mathscr{B}, s)$, an adversary $\tilde{\mathscr{A}}$ for $\mathscr{A}$ is an $s$-tuple of quantum operations $(\tilde{\mathscr{A}}_1, \ldots, \tilde{\mathscr{A}}_s)$, where $\tilde{\mathscr{A}}_1 : L(\mathcal{A}_0) \mapsto L(\tilde{\mathcal{A}}_1 \otimes \mathcal{X}_1)$, and $\tilde{\mathscr{A}}_i : L(\tilde{\mathcal{A}}_{i-1} \otimes \mathcal{Y}_{i-1}) \mapsto L(\tilde{\mathcal{A}}_i \otimes \mathcal{X}_i)$ $(2 \le i \le s)$, with $\tilde{\mathcal{A}}_1, \ldots, \tilde{\mathcal{A}}_s$ being $\tilde{\mathscr{A}}$'s memory spaces. We denote the final state of a protocol run with an adversary $\tilde{\mathscr{A}}$ by $[\tilde{\mathscr{A}} \circledast \mathscr{B}](\rho_{\mathrm{in}})$.

A special type of adversary for a protocol $\Pi = (\mathscr{A}, \mathscr{B}, s)$ is a purified adversary $\hat{\mathscr{A}}$ for $\mathscr{A}$ that is described by unitaries $(\hat{\mathscr{A}}_1, \ldots, \hat{\mathscr{A}}_s)$, where $\hat{\mathscr{A}}_1 : L(\mathcal{A}_0 \otimes \hat{\mathcal{A}}_0) \mapsto L(\mathcal{A}_1 \otimes \hat{\mathcal{A}}_1 \otimes \mathcal{X}_1)$ and $\hat{\mathscr{A}}_i : L(\mathcal{A}_{i-1} \otimes \hat{\mathcal{A}}_{i-1} \otimes \mathcal{Y}_{i-1}) \mapsto L(\mathcal{A}_i \otimes \hat{\mathcal{A}}_i \otimes \mathcal{X}_i)$ $(2 \le i \le s)$, with the auxiliary space $\hat{\mathcal{A}}_0$ of sufficiently large dimension being initialized to the zero state. We refer to $\hat{\mathcal{A}}_1, \ldots, \hat{\mathcal{A}}_s$ as the purifying spaces and specify that tracing out the purifying space reverts the state to a state from the original protocol; in particular, this holds for the final state of the protocol: $\mathrm{tr}_{\hat{\mathcal{A}}_s}[\hat{\mathscr{A}} \circledast \mathscr{B}](\rho_{\mathrm{in}}) = [\mathscr{A} \circledast \mathscr{B}](\rho_{\mathrm{in}})$ for all $\rho_{\mathrm{in}}$. It is not hard to see that such adversaries always exist (see, for instance, [7]). The definition of a purified adversary $\hat{\mathscr{B}}$ for $\mathscr{B}$ is obtained similarly to the definition for $\mathscr{A}$. In particular, $\hat{\Pi} = (\hat{\mathscr{A}}, \hat{\mathscr{B}}, s)$ denotes the protocol where both parties $\mathscr{A}$ and $\mathscr{B}$ are purified.



C. Specious adversaries 

Recall the intuition that a specious adversary should be able, at each step of the protocol, to produce a state that, when joined with the honest party's state, is close (in trace distance) to the joint state of an honest execution of the protocol. Dupuis, Nielsen, and Salvail [5] give a definition of specious adversaries in the most general context. For the purposes of QPIR in our model, the following is an equivalent definition; we also define below ultimately specious adversaries, which are adversaries that satisfy the criteria for speciousness at the last step of the protocol.

Definition 2 (specious adversaries). Let $\Pi = (\mathscr{A}, \mathscr{B}, s)$ be an $s$-round two-party protocol. We say that an adversary $\tilde{\mathscr{A}}$ for $\mathscr{A}$ is $\varepsilon$-specious if there exists a sequence of quantum operations $(\mathscr{F}_1, \ldots, \mathscr{F}_{2s})$ such that for all $1 \le i \le 2s$ and for all $\rho_{\mathrm{in}} \in S(\mathcal{A}_0 \otimes \mathcal{B}_0 \otimes \mathcal{R})$,

1. the operations have the form

$$\mathscr{F}_i : \begin{cases} L(\tilde{\mathcal{A}}_{(i+1)/2} \otimes \mathcal{X}_{(i+1)/2}) \mapsto L(\mathcal{A}_{(i+1)/2} \otimes \mathcal{X}_{(i+1)/2}), & i \text{ odd}, \\ L(\tilde{\mathcal{A}}_{i/2}) \mapsto L(\mathcal{A}_{i/2}), & i \text{ even}, \end{cases} \qquad (5)$$

2. for every input state $\rho_{\mathrm{in}} \in S(\mathcal{A}_0 \otimes \mathcal{B}_0 \otimes \mathcal{R})$,

$$\Delta\Big(\big(\mathscr{F}_i \otimes \mathbb{1}_{\mathcal{B},\mathcal{R}}\big)\big(\tilde{\rho}_i(\rho_{\mathrm{in}})\big),\; \rho_i(\rho_{\mathrm{in}})\Big) \le \varepsilon, \qquad (6)$$

where $\tilde{\rho}_i(\rho_{\mathrm{in}})$ denotes the state after the $i$-th step of the protocol run with $\tilde{\mathscr{A}}$ in place of $\mathscr{A}$, and $\mathbb{1}_{\mathcal{B},\mathcal{R}}$ is the identity on the honest party's current system and on $\mathcal{R}$.

We call an adversary $\tilde{\mathscr{A}}$ for $\mathscr{A}$ ultimately $\varepsilon$-specious if there exists a quantum operation $\mathscr{F} : L(\tilde{\mathcal{A}}_s) \mapsto L(\mathcal{A}_s)$ such that for every input state $\rho_{\mathrm{in}} \in S(\mathcal{A}_0 \otimes \mathcal{B}_0 \otimes \mathcal{R})$,

$$\Delta\Big(\big(\mathscr{F} \otimes \mathbb{1}_{\mathcal{B}_s,\mathcal{R}}\big)\big([\tilde{\mathscr{A}} \circledast \mathscr{B}](\rho_{\mathrm{in}})\big),\; [\mathscr{A} \circledast \mathscr{B}](\rho_{\mathrm{in}})\Big) \le \varepsilon. \qquad (7)$$



D. Definitions for QPIR 



Using the formalism developed so far, we now define QPIR protocols. In particular, we define a notion of approximate correctness, together with a notion of approximate privacy against specious servers; correctness refers to the notion that the client should obtain the correct outcome at the end of the protocol, while privacy refers to the notion that the server should learn essentially nothing about the client's input via its interaction with the client. For specious adversaries, this corresponds to the intuitive notion that the server's local density matrix at each step of the protocol should be independent of the client's input $i$; in other words, there must exist at each step of the protocol a quantum map $\mathscr{S}$ that has access only to the server's input register and that reproduces, or simulates, the server's local view. This is the standard ideal-world/real-world simulation-based security notion, simplified to the QPIR setting and required only for specious adversaries.

We also consider ultimate privacy (i.e. the privacy condition holds at the end of the protocol) against purified servers, which is sufficient in order to show our result.

Definition 3 (QPIR protocol). An $s$-round, $n$-bit Quantum Private Information Retrieval protocol is a two-party protocol $\Pi_{\mathrm{QPIR}} = (\mathscr{A}, \mathscr{B}, s)$, where $\mathscr{A}$ is the server and $\mathscr{B}$ is the client.

We call $\Pi_{\mathrm{QPIR}}$ $(1-\delta)$-correct if, for all inputs $\rho_{\mathrm{in}} = |x\rangle\langle x|_{\mathcal{A}_0} \otimes |i\rangle\langle i|_{\mathcal{B}_0}$ with $x = x_1, \ldots, x_n \in \{0,1\}^n$ and $i \in \{1, \ldots, n\}$, there exists a measurement $M_i$ with outcome $0$ or $1$ such that:

$$\Pr\big[M_i\big(\mathrm{tr}_{\mathcal{A}_s}[\mathscr{A} \circledast \mathscr{B}](\rho_{\mathrm{in}})\big) = x_i\big] \ge 1 - \delta. \qquad (8)$$

We call $\Pi_{\mathrm{QPIR}}$ $(1-\varepsilon)$-private against $\gamma$-specious servers if for every $\gamma$-specious server $\tilde{\mathscr{A}}$, there exists a sequence of quantum operations $\mathscr{S}_1, \ldots, \mathscr{S}_{s-1}$ where $\mathscr{S}_i : L(\mathcal{A}_0) \mapsto L(\tilde{\mathcal{A}}_i \otimes \mathcal{Y}_i)$, such that for all $1 \le i \le s-1$ and for all $\rho_{\mathrm{in}} \in S(\mathcal{A}_0 \otimes \mathcal{B}_0 \otimes \mathcal{R})$,

$$\Delta\Big(\mathrm{tr}_{\mathcal{B}_0}\big((\mathscr{S}_i \otimes \mathbb{1}_{\mathcal{B}_0,\mathcal{R}})(\rho_{\mathrm{in}})\big),\; \mathrm{tr}_{\mathcal{B}_i}\big(\tilde{\rho}_{2i}(\rho_{\mathrm{in}})\big)\Big) \le \varepsilon, \qquad (9)$$

where $\tilde{\rho}_{2i}(\rho_{\mathrm{in}})$ is the state after the client's $i$-th step of the protocol run with $\tilde{\mathscr{A}}$ in place of $\mathscr{A}$.

We call $\Pi_{\mathrm{QPIR}}$ ultimately $(1-\varepsilon)$-private against purified servers if for every purification $\hat{\mathscr{A}}$ of the server $\mathscr{A}$ there exists a quantum operation $\mathscr{S} : L(\mathcal{A}_0) \mapsto L(\mathcal{A}_s \otimes \hat{\mathcal{A}}_s)$, such that for all $\rho_{\mathrm{in}} \in S(\mathcal{A}_0 \otimes \mathcal{B}_0 \otimes \mathcal{R})$,

$$\Delta\Big(\mathrm{tr}_{\mathcal{B}_0}\big((\mathscr{S} \otimes \mathbb{1}_{\mathcal{B}_0,\mathcal{R}})(\rho_{\mathrm{in}})\big),\; \mathrm{tr}_{\mathcal{B}_s}\big([\hat{\mathscr{A}} \circledast \mathscr{B}](\rho_{\mathrm{in}})\big)\Big) \le \varepsilon. \qquad (10)$$



III. TOOLS 



In this section, we present definitions and results that 
are used in the proof of our main result. 



A. Entropy 

Definition 4 (Shannon entropy). Let $P_X$ be a probability distribution over the alphabet $X$. Then the Shannon entropy $H(P_X)$ of $P_X$ is

$$H(P_X) := -\sum_{x \in X} P_X(x) \log\big(P_X(x)\big). \qquad (11)$$

The Shannon entropy of a binary random variable is called binary entropy:

Definition 5 (binary entropy). Let $p$ be the probability of an event of a binary random variable. Then the binary entropy $H_{\mathrm{bin}}(p)$ of $p$ is

$$H_{\mathrm{bin}}(p) := -p \log p - (1-p) \log(1-p). \qquad (12)$$



B. Trace distance and fidelity 

We have already encountered the trace norm and trace distance in Section II A. Another measure of distance between two density operators $\rho$ and $\sigma$ is the fidelity, defined as

$$F(\rho, \sigma) := \big\|\sqrt{\rho}\,\sqrt{\sigma}\big\|_1 . \qquad (13)$$

For pure states $|x\rangle$ and $|y\rangle$ we define $F(|x\rangle, |y\rangle)$ as $F(|x\rangle\langle x|, |y\rangle\langle y|)$. The following lemma simplifies the calculation of the fidelity.

Lemma 1 (Uhlmann's Lemma). The fidelity between $\rho_A \in S(\mathcal{A})$ and $\sigma_A \in S(\mathcal{A})$ is

$$F(\rho_A, \sigma_A) = \max_{|\varphi\rangle_{A,B},\, |\psi\rangle_{A,B}} F\big(|\varphi\rangle_{A,B}, |\psi\rangle_{A,B}\big) \qquad (14)$$

$$= \max_{|\varphi\rangle_{A,B},\, |\psi\rangle_{A,B}} \big|\langle \varphi | \psi \rangle_{A,B}\big| , \qquad (15)$$

where the maximum is taken over all purifications of $\rho_A = \mathrm{tr}_B |\varphi\rangle\langle\varphi|_{A,B}$ and over all purifications of $\sigma_A = \mathrm{tr}_B |\psi\rangle\langle\psi|_{A,B}$.

Recall the Fuchs-van de Graaf inequalities, relating the 
fidelity to the trace distance: 

Lemma 2 (Fuchs-van de Graaf inequalities). Let $\rho, \sigma \in S(\mathcal{A})$ be density operators; then

$$1 - F(\rho, \sigma) \le \Delta(\rho, \sigma) \le \sqrt{1 - F(\rho, \sigma)^2} . \qquad (16)$$



The following lemma states that, given two density matrices that are close in trace distance, it is possible, by acting only on the purifying subspace, to transform a purification of one of the density matrices into an approximate version of a purification of the other.

Lemma 3. Let $\rho_A, \sigma_A \in S(\mathcal{A})$ be two $\varepsilon$-close density operators such that

$$\Delta(\rho_A, \sigma_A) \le \varepsilon \qquad (17)$$

with respective purifications $|\varphi\rangle_{A,B}$ and $|\psi\rangle_{A,B}$. Then there exists a unitary $U_B$ acting solely on $\mathcal{B}$, such that

$$\Delta\big(|\varphi\rangle_{A,B},\, (\mathbb{1}_A \otimes U_B)|\psi\rangle_{A,B}\big) \le \sqrt{\varepsilon(2 - \varepsilon)} . \qquad (18)$$

Proof of Lemma 3. Let $\rho_A, \sigma_A \in S(\mathcal{A})$ be two density operators such that $\Delta(\rho_A, \sigma_A) \le \varepsilon$. By the first inequality of Lemma 2 we get

$$F(\rho_A, \sigma_A) \ge 1 - \varepsilon . \qquad (19)$$

Let the state $|\varphi\rangle_{A,B}$ be an arbitrary purification of the density operator $\rho_A$. By Lemma 1 there exists a purification $|\psi'\rangle_{A,B}$ of the density operator $\sigma_A$, such that

$$F(\rho_A, \sigma_A) = F\big(|\varphi\rangle_{A,B}, |\psi'\rangle_{A,B}\big) . \qquad (20)$$

Therefore, the fidelity lower bound (19) is also a lower bound for the fidelity between the pure states $|\varphi\rangle_{A,B}$ and $|\psi'\rangle_{A,B}$. Using this in the second inequality of Lemma 2 yields

$$\Delta\big(|\varphi\rangle_{A,B}, |\psi'\rangle_{A,B}\big) \le \sqrt{1 - F\big(|\varphi\rangle_{A,B}, |\psi'\rangle_{A,B}\big)^2} . \qquad (21)$$

By squaring both sides and plugging in (19) we get

$$\Delta\big(|\varphi\rangle_{A,B}, |\psi'\rangle_{A,B}\big)^2 \le 1 - F\big(|\varphi\rangle_{A,B}, |\psi'\rangle_{A,B}\big)^2 \qquad (22)$$

$$\le 1 - (1 - \varepsilon)^2 \qquad (23)$$

$$= \varepsilon(2 - \varepsilon) . \qquad (24)$$

Because purifications are equivalent up to unitary transformations on the purifying system, we thus get

$$\Delta\big(|\varphi\rangle_{A,B},\, (\mathbb{1}_A \otimes U_B)|\psi\rangle_{A,B}\big) \le \sqrt{\varepsilon(2 - \varepsilon)} , \qquad (25)$$

where

$$(\mathbb{1}_A \otimes U_B)|\psi\rangle_{A,B} = |\psi'\rangle_{A,B} . \qquad (26)$$

□



C. The Schmidt decomposition and its properties 

The Schmidt compression allows for a lossless compression of a quantum state. We first describe the Schmidt decomposition.

Theorem 1 (Schmidt decomposition). Let $|\psi\rangle_{A,B}$ be a pure state shared between party $\mathscr{A}$ and party $\mathscr{B}$. Then there exists a set of orthonormal pure states $\{|a_i\rangle_A\}$ for party $\mathscr{A}$, a set of orthonormal pure states $\{|b_i\rangle_B\}$ for party $\mathscr{B}$, a set of real coefficients $\{\lambda_i\}$ called Schmidt coefficients, and a positive integer $r$ called the Schmidt rank, such that

$$|\psi\rangle_{A,B} = \sum_{i=1}^{r} \lambda_i\, |a_i\rangle_A\, |b_i\rangle_B . \qquad (27)$$

Because the spaces $\mathcal{A}$ and $\mathcal{B}$ use only $r$ different orthonormal pure states, both spaces can be compressed independently to spaces of dimension $r$ with $\lceil \log r \rceil$ qubits. This is known as Schmidt compression.

The following theorem states that we can bound the Schmidt rank of a bipartite state resulting from a purified two-party protocol. This theorem is attributed to Kremer [12] (see Lemma 5).



Theorem 2 (bound on Schmidt rank). Let $\hat{\Pi} = (\hat{\mathscr{A}}, \hat{\mathscr{B}}, s)$ be a two-party quantum protocol with purified parties $\hat{\mathscr{A}}$ and $\hat{\mathscr{B}}$, and let $\rho_{\mathrm{in}} = |\phi_0\rangle_{A,B}$ be a pure product state. Suppose $\hat{\Pi}$ has communication complexity $c$. Then $[\hat{\mathscr{A}} \circledast \hat{\mathscr{B}}](\rho_{\mathrm{in}})$ has Schmidt rank at most $2^c$.

Proof of Theorem 2. In the following, we ignore unitary operations on either side during the protocol, because such operations do not increase the Schmidt rank.

Let $|\phi_d\rangle_{A,B}$ be the shared state after $d$ qubits have been communicated and let

$$|\phi_d\rangle_{A,B} = \sum_{i=1}^{r} \lambda_i\, |a_i\rangle_A\, |b_i\rangle_B \qquad (28)$$

be the corresponding Schmidt decomposition. The terms belonging to party $\hat{\mathscr{A}}$ in the Schmidt decomposition (28) can be expanded as

$$|a_i\rangle_A = \alpha_i\, |a_i^0\rangle_{A_l}\, |0\rangle_{A_r} + \beta_i\, |a_i^1\rangle_{A_l}\, |1\rangle_{A_r} . \qquad (29)$$

Without loss of generality, assume that in the next step of the protocol, the qubit from the space $\mathcal{A}_r$ is sent from party $\hat{\mathscr{A}}$ to party $\hat{\mathscr{B}}$. By plugging the expanded expression (29) into the Schmidt decomposition (28), we get

$$|\phi_d\rangle_{A,B} = \sum_{i=1}^{r} \lambda_i \big(\alpha_i\, |a_i^0\rangle_{A_l}\, |0\rangle_{A_r} + \beta_i\, |a_i^1\rangle_{A_l}\, |1\rangle_{A_r}\big)\, |b_i\rangle_B \qquad (30)$$

$$= \sum_{i=1}^{r} \lambda_i \alpha_i\, |a_i^0\rangle_{A_l}\, |0\rangle_{A_r}\, |b_i\rangle_B + \lambda_i \beta_i\, |a_i^1\rangle_{A_l}\, |1\rangle_{A_r}\, |b_i\rangle_B . \qquad (31)$$

Hence the transmission of one qubit at most doubles the number of summands, which is an upper bound on the Schmidt rank of the new Schmidt decomposition into the spaces $\mathcal{A}_l$ and $\mathcal{A}_r \otimes \mathcal{B}$. By assumption, the initial state $|\phi_0\rangle_{A,B}$ has Schmidt rank 1. Therefore, after communicating $c$ qubits the Schmidt rank is at most $2^c$. □
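The argument above (Schmidt rank at most doubles per transmitted qubit, local unitaries leave it unchanged) can be checked numerically on a toy protocol. The following is an added example and not code from the paper: it simulates a four-qubit state with explicit amplitudes, tracks which qubits each party holds, computes the Schmidt rank across the current cut as the rank of the reshaped coefficient matrix (pure-Python Gaussian elimination, no external library), and asserts the bound $2^c$ after every step, where $c$ counts the qubits communicated so far. The protocol steps (a GHZ preparation by $\mathscr{A}$, a local operation by $\mathscr{B}$, three one-qubit messages) are constructed for illustration only.

```python
# Added example (not from the paper): numerically checking the Schmidt-rank bound
# of Theorem 2 on a constructed two-party toy protocol.
# Convention: an n-qubit state is a list of 2**n complex amplitudes; qubit 0 is the
# most significant bit of the basis-state index.
import math

def apply_1q(state, n, gate, q):
    """Apply a 2x2 gate (list of rows) to qubit q of an n-qubit state."""
    pos = n - 1 - q
    new = [0j] * len(state)
    for idx, amp in enumerate(state):
        if amp == 0:
            continue
        bit = (idx >> pos) & 1
        base = idx & ~(1 << pos)
        for out in (0, 1):
            new[base | (out << pos)] += gate[out][bit] * amp
    return new

def apply_cnot(state, n, ctrl, tgt):
    """CNOT with control qubit ctrl and target qubit tgt."""
    new = [0j] * len(state)
    for idx, amp in enumerate(state):
        if (idx >> (n - 1 - ctrl)) & 1:
            idx ^= 1 << (n - 1 - tgt)
        new[idx] += amp
    return new

def schmidt_rank(state, n, a_qubits, tol=1e-9):
    """Schmidt rank across the cut (a_qubits | remaining qubits).
    It equals the rank of the matrix M[a_index][b_index] obtained by reshaping the
    amplitude vector; the rank is found by Gaussian elimination with a tolerance."""
    b_qubits = [q for q in range(n) if q not in a_qubits]
    rows, cols = 1 << len(a_qubits), 1 << len(b_qubits)
    M = [[0j] * cols for _ in range(rows)]
    for idx, amp in enumerate(state):
        bits = [(idx >> (n - 1 - q)) & 1 for q in range(n)]
        r = int("".join(str(bits[q]) for q in a_qubits) or "0", 2)
        c = int("".join(str(bits[q]) for q in b_qubits) or "0", 2)
        M[r][c] = amp
    rank = 0
    for col in range(cols):
        pivot = next((r for r in range(rank, rows) if abs(M[r][col]) > tol), None)
        if pivot is None:
            continue
        M[rank], M[pivot] = M[pivot], M[rank]
        for r in range(rows):
            if r != rank and abs(M[r][col]) > tol:
                f = M[r][col] / M[rank][col]
                M[r] = [x - f * y for x, y in zip(M[r], M[rank])]
        rank += 1
    return rank

def run_toy_protocol():
    """Constructed protocol: returns a log of (step, qubits sent so far, Schmidt rank)
    and checks rank <= 2**c at every step, as Theorem 2 predicts."""
    n = 4
    state = [0j] * (1 << n)
    state[0] = 1 + 0j                       # |0000>: a pure product state, rank 1
    owner = {0: "A", 1: "A", 2: "A", 3: "B"}  # party holding each qubit
    H = [[1 / math.sqrt(2), 1 / math.sqrt(2)], [1 / math.sqrt(2), -1 / math.sqrt(2)]]
    log, c = [], 0

    def record(step):
        a = [q for q in range(n) if owner[q] == "A"]
        r = schmidt_rank(state, n, a)
        assert r <= 2 ** c, "Schmidt-rank bound of Theorem 2 violated"
        log.append((step, c, r))

    record("start")
    # Local unitaries of A (GHZ state on A's own qubits): rank across the cut stays 1.
    state = apply_1q(state, n, H, 0)
    state = apply_cnot(state, n, 0, 1)
    state = apply_cnot(state, n, 0, 2)
    record("A local GHZ")
    owner[2] = "B"; c += 1; record("A sends qubit 2")   # rank can at most double
    state = apply_1q(state, n, H, 3)                     # local unitaries of B
    state = apply_cnot(state, n, 3, 2)
    record("B local")
    owner[3] = "A"; c += 1; record("B sends qubit 3")
    owner[1] = "B"; c += 1; record("A sends qubit 1")
    return log

if __name__ == "__main__":
    for step, sent, rank in run_toy_protocol():
        print(f"{step:<18} qubits sent = {sent}  Schmidt rank = {rank}  bound = {2 ** sent}")
```

The first message turns a locally prepared GHZ state into a rank-2 state across the cut, which is exactly the $2^c$ bound for $c = 1$; the later messages raise the rank more slowly than the bound, showing that $2^c$ is an upper bound rather than the exact rank.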

D. Random access encoding 

A random access encoding is an encoding of a classical database as a density operator, such that any database item can be extracted with a certain probability using a measurement which is independent of the database. It is easy to see that the message of a single-message QPIR protocol is a random access encoding of the server's database. We state the definition of random access encoding and a theorem on their size; here, we consider the average-case scenario, which follows from Nayak's work [16] (see also [1], Appendix B).

Definition 6 (Random Access Encoding). An $(n, m, p)$-random access encoding is a function $f$ that maps $n$-bit strings to density operators over $m$ qubits, such that, for every $i \in \{1, \ldots, n\}$, there exists a measurement $M_i$ with outcome $0$ or $1$ that has the property that on average over all $x \in \{0,1\}^n$,

$$\Pr\big[M_i(f(x)) = x_i\big] \ge p . \qquad (32)$$

Theorem 3 (size of Random Access Encoding). Any $(n, m, p)$-random access encoding satisfies $m \ge (1 - H_{\mathrm{bin}}(p))\, n$.



IV. MAIN THEOREM 



In this section, we present our main result and related corollaries. The proof is given in Section IV B.



A. Results 

Our main result is the following. 

Theorem 4. Let $\Pi_{\mathrm{QPIR}} = (\mathscr{A}, \mathscr{B}, s)$ be an $s$-round, $n$-bit QPIR protocol that is $(1-\delta)$-correct and ultimately $(1-\varepsilon)$-private against purified servers. Then $\Pi_{\mathrm{QPIR}}$ has communication complexity of at least

$$\Big(1 - H_{\mathrm{bin}}\big(1 - \delta - 2\sqrt{\varepsilon(1-\varepsilon)}\big)\Big)\, n . \qquad (33)$$

The above theorem is an extension of Nayak's result on QPIR [16] to approximate privacy, requiring security only against a purified server at the end of the protocol. It is easy to see that a purified server is specious (see Section II B). Therefore, any QPIR protocol that is $(1-\varepsilon)$-private against $\gamma$-specious servers is also $(1-\varepsilon)$-private against purified servers. Trivially, such a protocol is ultimately $(1-\varepsilon)$-private against purified servers. Hence, by Theorem 4 we get:

Corollary 1. Let $\Pi_{\mathrm{QPIR}} = (\mathscr{A}, \mathscr{B}, s)$ be an $s$-round, $n$-bit QPIR protocol that is $(1-\delta)$-correct and $(1-\varepsilon)$-private against $\gamma$-specious servers. Then for any $\gamma$, $\Pi_{\mathrm{QPIR}}$ has communication complexity of at least

$$\Big(1 - H_{\mathrm{bin}}\big(1 - \delta - 2\sqrt{\varepsilon(1-\varepsilon)}\big)\Big)\, n . \qquad (34)$$



Let $\delta$ and $\varepsilon$ be nonnegative and negligible functions³ with respect to $n$. Then for any $\gamma$, the communication complexity as given in Corollary 1 is at least $n - o(1)$. In sharp contrast to this, in Le Gall's model (that considers an adversary that follows the protocol exactly), the communication complexity is $O(\sqrt{n})$; we therefore obtain the following corollary.

Corollary 2. Le Gall's QPIR protocol is not private against $\gamma$-specious adversaries, for any $\gamma$.

An alternate proof of Corollary 2, via an explicit specious attack, can be found in [1].

³ A nonnegative function $\mu$ is called negligible with respect to $n$ if for all $c > 0$ and all sufficiently large $n$, $\mu(n) < n^{-c}$.
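The step from Corollary 1 to the bound $n - o(1)$ for negligible $\delta$ and $\varepsilon$ is stated without calculation above; the following added derivation (not part of the paper) carries it out with the paper's own symbols, using only the symmetry of $H_{\mathrm{bin}}$ and the elementary estimate $\ln\frac{1}{1-x} \le \frac{x}{1-x}$.

```latex
\text{Write } x := \delta + 2\sqrt{\varepsilon(1-\varepsilon)}, \text{ so that the bound (34) reads}
  \Big(1 - H_{\mathrm{bin}}(1-x)\Big)\,n \;=\; n - n\,H_{\mathrm{bin}}(x)
  \quad\text{since } H_{\mathrm{bin}}(1-x) = H_{\mathrm{bin}}(x).

\text{For } 0 < x < 1:\quad
  -(1-x)\log_2(1-x) \;=\; (1-x)\,\log_2\!\frac{1}{1-x}
  \;\le\; (1-x)\cdot\frac{x}{1-x}\,\log_2 e \;=\; x\log_2 e,

\text{hence}\quad
  H_{\mathrm{bin}}(x) \;\le\; x\log_2\frac{1}{x} + x\log_2 e \;=\; x\log_2\frac{e}{x},
  \quad\text{and } x \mapsto x\log_2\frac{e}{x} \text{ is increasing on } (0,1].

\text{If } \delta, \varepsilon \text{ are negligible, then } x \le \delta + 2\sqrt{\varepsilon}
  \text{ is negligible as well; taking } c = 2 \text{ in the definition gives, for large } n,
  n\,H_{\mathrm{bin}}(x) \;\le\; n \cdot n^{-2}\log_2\!\big(e\,n^{2}\big)
  \;=\; \frac{\log_2 e + 2\log_2 n}{n} \;\xrightarrow{\;n\to\infty\;}\; 0,

\text{so the communication complexity is at least } n - o(1).
\quad\text{For } \delta = \varepsilon = 0 \text{ one has } x = 0,\ H_{\mathrm{bin}}(0) = 0,
  \text{ and the bound is exactly } n \text{ (Nayak's bound)}.
\quad\text{Since } C\sqrt{n} < n - o(1) \text{ for every constant } C \text{ and all large } n,
  \text{ a protocol with } O(\sqrt{n}) \text{ communication cannot satisfy Corollary 1.}
```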



B. Proof of Theorem 4

The main technique used in the proof of Theorem 4 is to reduce a given QPIR protocol to a random access encoding, and then apply Nayak's lower bound as established by Theorem 3. This is the same technique as used by Nayak in his lower bound proof for QPIR, which we extend here to the case of approximate privacy against ultimately specious servers.

As a starting point to understanding the reduction, note that any single-message QPIR protocol (where one message is sent from the server to the client) implements a random access encoding. Hence, the lower bound on the size of the random access encoding is also a lower bound on the communication complexity of the single-message QPIR protocol. We generalize this idea to multi-round QPIR protocols that are ultimately $(1-\varepsilon)$-private against purified servers by reducing the multi-round protocol to a single-message protocol, and hence to a random access encoding. Taking care that this procedure does not increase the amount of communication allows us to apply the lower bound on the size of the random access encoding to the communication complexity of the multi-step QPIR protocol, thus establishing the result.

Proof of Theorem 4. Let $\Pi_{\mathrm{QPIR}}$ be an $s$-round, $n$-bit, $(1-\delta)$-correct Quantum Private Information Retrieval protocol that is ultimately $(1-\varepsilon)$-private against purified servers and that has communication complexity $c$.

Consider $\hat{\Pi}_{\mathrm{QPIR}}(\hat{\mathscr{A}}, \hat{\mathscr{B}})$, the modification of $\Pi_{\mathrm{QPIR}}$ where both parties, $\mathscr{A}$ and $\mathscr{B}$, are purified, as described in Section II B. We denote by $\mathcal{S} \simeq \mathcal{A}_s \otimes \hat{\mathcal{A}}_s$ the server's subspace, and by $\mathcal{C} \simeq \mathcal{B}_s \otimes \hat{\mathcal{B}}_s$ the client's subspace at the end of the protocol. Furthermore, let

$$|\psi_{x,i}\rangle\langle\psi_{x,i}|_{\mathcal{S},\mathcal{C}} := [\hat{\mathscr{A}} \circledast \hat{\mathscr{B}}]\big(|x\rangle\langle x| \otimes |i\rangle\langle i|\big) ; \qquad (35)$$

that is, $|\psi_{x,i}\rangle_{\mathcal{S},\mathcal{C}}$ is the global state at the end of the protocol $\hat{\Pi}_{\mathrm{QPIR}}(\hat{\mathscr{A}}, \hat{\mathscr{B}})$, with inputs $x \in \{0,1\}^n$ for the database and $i \in \{1, \ldots, n\}$ for the index.

Encoding. Given $\hat{\Pi}_{\mathrm{QPIR}}(\hat{\mathscr{A}}, \hat{\mathscr{B}})$, we derive a random access encoding in the following way: the server simulates the purified version $\hat{\Pi}_{\mathrm{QPIR}}(\hat{\mathscr{A}}, \hat{\mathscr{B}})$ of the protocol $\Pi_{\mathrm{QPIR}}$ with $|x\rangle$ as database input and index $|i\rangle = |1\rangle$. The joint output is $|\psi_{x,1}\rangle_{\mathcal{S},\mathcal{C}}$.

Consider $|\xi\rangle_{\mathcal{DB}}$, the uniform superposition of all possible databases,

$$|\xi\rangle_{\mathcal{DB}} := \frac{1}{\sqrt{2^n}} \sum_{x \in \{0,1\}^n} |x\rangle_{\mathcal{DB}} , \qquad (36)$$

and let

$$|\xi_i\rangle_{\mathcal{S},\mathcal{C}} := [\hat{\mathscr{A}} \circledast \hat{\mathscr{B}}]\big(|\xi\rangle_{\mathcal{DB}} \otimes |i\rangle\big) \qquad (37)$$

$$= \frac{1}{\sqrt{2^n}} \sum_{x \in \{0,1\}^n} |\psi_{x,i}\rangle_{\mathcal{S},\mathcal{C}} . \qquad (38)$$

By Theorem 2, the Schmidt decomposition of $|\xi_1\rangle_{\mathcal{S},\mathcal{C}}$ into the subspaces $\mathcal{S}$ and $\mathcal{C}$ has Schmidt rank at most $2^c$. Hence there exists a Schmidt compression of the subspace $\mathcal{C}$ into at most $c$ qubits. By linearity, this map can be used to compress (and decompress) $|\psi_{x,1}\rangle_{\mathcal{S},\mathcal{C}}$ for any $x \in \{0,1\}^n$. The server applies this compression on system $\mathcal{C}$ of $|\psi_{x,1}\rangle_{\mathcal{S},\mathcal{C}}$. Let the result of the compression be $|\psi'_{x,1}\rangle_{\mathcal{S},\mathcal{C}}$. The server outputs as encoding of database $x$ the state of the subsystem $\mathcal{C}$:

$$\mathrm{tr}_{\mathcal{S}}\, |\psi'_{x,1}\rangle\langle\psi'_{x,1}|_{\mathcal{S},\mathcal{C}} . \qquad (39)$$

Decoding. Given the output of the Encoding algorithm, the client applies the inverse operation of the Schmidt compression obtained above in order to recover the joint state corresponding to the input $i = 1$:

$$|\psi_{x,1}\rangle_{\mathcal{S},\mathcal{C}} . \qquad (40)$$

However, the client would like to recover the joint state for an arbitrary $i$. To this end, consider again $|\xi\rangle_{\mathcal{DB}}$, the uniform superposition of databases, as database input, and fix $i \in \{1, \ldots, n\}$ as index input. Let the corresponding input state be $\rho^{(i)}_{\mathrm{in}}$. By the privacy condition (Equation (10)), there exists a quantum map $\mathscr{S} : L(\mathcal{A}_0) \mapsto L(\mathcal{A}_s \otimes \hat{\mathcal{A}}_s)$ such that

$$\Delta\Big(\mathrm{tr}_{\mathcal{B}_0}\big(\mathscr{S} \otimes \mathbb{1}_{\mathcal{B}_0,\mathcal{R}}\big)\big(\rho^{(i)}_{\mathrm{in}}\big),\; \mathrm{tr}_{\mathcal{B}_s}[\hat{\mathscr{A}} \circledast \mathscr{B}]\big(\rho^{(i)}_{\mathrm{in}}\big)\Big) \le \varepsilon . \qquad (41)$$

Since for all $i \in \{1, \ldots, n\}$

$$\mathrm{tr}_{\mathcal{B}_0}\big(\mathscr{S} \otimes \mathbb{1}_{\mathcal{B}_0,\mathcal{R}}\big)\big(\rho^{(i)}_{\mathrm{in}}\big) = \mathrm{tr}_{\mathcal{B}_0}\big(\mathscr{S} \otimes \mathbb{1}_{\mathcal{B}_0,\mathcal{R}}\big)\big(\rho^{(1)}_{\mathrm{in}}\big) \qquad (42)$$

and

$$\mathrm{tr}_{\mathcal{B}_s}[\hat{\mathscr{A}} \circledast \mathscr{B}]\big(\rho^{(i)}_{\mathrm{in}}\big) = \mathrm{tr}_{\mathcal{C}}[\hat{\mathscr{A}} \circledast \hat{\mathscr{B}}]\big(\rho^{(i)}_{\mathrm{in}}\big) \qquad (43)$$

$$= \mathrm{tr}_{\mathcal{C}}\, |\xi_i\rangle\langle\xi_i|_{\mathcal{S},\mathcal{C}} , \qquad (44)$$

by the triangle inequality we get that for all $i \in \{1, \ldots, n\}$,

$$\Delta\big(\mathrm{tr}_{\mathcal{C}}\, |\xi_i\rangle\langle\xi_i|_{\mathcal{S},\mathcal{C}},\; \mathrm{tr}_{\mathcal{C}}\, |\xi_1\rangle\langle\xi_1|_{\mathcal{S},\mathcal{C}}\big) \le 2\varepsilon . \qquad (45)$$


Thus by Lemma 3, for every $i \in \{1, \ldots, n\}$, there exists a unitary $U^{(i)}_{\mathcal{C}}$ acting only on the client's subspace, such that

$$\Delta\Big(\big(\mathbb{1}_{\mathcal{S}} \otimes U^{(i)}_{\mathcal{C}}\big)|\xi_1\rangle_{\mathcal{S},\mathcal{C}},\; |\xi_i\rangle_{\mathcal{S},\mathcal{C}}\Big) \le 2\sqrt{\varepsilon(1-\varepsilon)} . \qquad (46)$$

Because the trace distance does not increase under measurements, we simply measure the space $\mathcal{DB}$ of the states in inequality (46) and obtain that for a uniformly random $x \in \{0,1\}^n$,

$$\Delta\Big(\big(\mathbb{1}_{\mathcal{S}} \otimes U^{(i)}_{\mathcal{C}}\big)|\psi_{x,1}\rangle_{\mathcal{S},\mathcal{C}},\; |\psi_{x,i}\rangle_{\mathcal{S},\mathcal{C}}\Big) \le 2\sqrt{\varepsilon(1-\varepsilon)} . \qquad (47)$$

Hence, on average over all databases $x \in \{0,1\}^n$, this family $\{U^{(i)}_{\mathcal{C}}\}_i$ of unitary operators can be used to construct a $2\sqrt{\varepsilon(1-\varepsilon)}$-close approximation.

It remains to calculate the recovery probability of the constructed random access code. The QPIR protocol $\Pi_{\mathrm{QPIR}}$ is $(1-\delta)$-correct and hence there exists a measurement that recovers the desired bit with probability at least $1 - \delta$. The family of unitary approximation transformations $\{U^{(i)}_{\mathcal{C}}\}_i$, used to approximate the global state, induces a loss in the recovery probability. The approximation is $2\sqrt{\varepsilon(1-\varepsilon)}$-close.

Hence the QPIR protocol yields a random access encoding with recovery probability of at least $1 - \delta - 2\sqrt{\varepsilon(1-\varepsilon)}$. By applying Nayak's Theorem 3, we get that any $n$-bit, $(1-\delta)$-correct QPIR protocol that is ultimately $(1-\varepsilon)$-private against purified servers has communication complexity of at least

$$\Big(1 - H_{\mathrm{bin}}\big(1 - \delta - 2\sqrt{\varepsilon(1-\varepsilon)}\big)\Big)\, n . \qquad (48)$$

□



It is interesting to note that the reason why this lower bound proof is not applicable to the model in [13] is that we do not have the privacy condition of Equation (10). In other words, the possibility of Le Gall's result is a direct consequence of the fact that security is guaranteed only for classical inputs; that is, the adversary is forced to select a classical database at the beginning of the protocol, or equivalently, is forced to measure any superposition of databases that it might receive as input.



V. CONCLUSION AND OPEN QUESTIONS 

Using quantum computation and quantum communication, non-trivial information-theoretic single-server QPIR protocols secure against any reasonable adversary do not exist. This work closes the topic of single-server, information-theoretic QPIR.

An open question that remains is whether there exist other applications of the reduction from multi-step protocols to single-step protocols used in the proof of the lower bound (see Section IV). In the reduction, we show that any protocol with asymmetric privacy at the end of the protocol against one particular type of adversary can be transformed into a single-step protocol. The resulting single-step protocol preserves the communication complexity and the privacy property. This reduction could potentially be used to build offline protocols from multi-step protocols. An offline protocol is a protocol where the parties are not required to be involved in the protocol at the same time. This could be advantageous under some circumstances.